author | Scott Violet <sky@chromium.org> | 2020-11-11 16:14:40 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-12-07 22:24:40 +0000 |
commit | 05386001f90b9b2414b0feb8a2b2cf592246213e (patch) | |
tree | 4556bc610042f6d3d217ca8fa1889cc3cca9f4dd | |
parent | 117abfcce740660b30c07d5af7cf82475bdc554f (diff) | |
download | qtwebengine-chromium-05386001f90b9b2414b0feb8a2b2cf592246213e.tar.gz |
[Backport] CVE-2020-16024: Heap buffer overflow in UI
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2531118:
ui: CHECK that UnPremultiply is passed a 32bpp image
To do otherwise results in accessing random data.
BUG=1147430
TEST=none
Change-Id: Icedacbaac64cad3fc903e6423c6f9aad8c1e8cb5
Commit-Queue: danakj <danakj@chromium.org>
Reviewed-by: danakj <danakj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#826300}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/ui/gfx/skbitmap_operations.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/ui/gfx/skbitmap_operations.cc b/chromium/ui/gfx/skbitmap_operations.cc index 2d1c9c1f837..d2b474f1d77 100644 --- a/chromium/ui/gfx/skbitmap_operations.cc +++ b/chromium/ui/gfx/skbitmap_operations.cc @@ -630,6 +630,8 @@ SkBitmap SkBitmapOperations::UnPreMultiply(const SkBitmap& bitmap) { return bitmap; if (bitmap.alphaType() != kPremul_SkAlphaType) return bitmap; + // It's expected this code is called with a 32bpp image. + CHECK_EQ(kN32_SkColorType, bitmap.colorType()); const SkImageInfo& opaque_info = bitmap.info().makeAlphaType(kUnpremul_SkAlphaType); |
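Review bot: the comment above the new CHECK_EQ in UnPreMultiply only says a 32bpp image is "expected" and does not say what goes wrong otherwise. The commit message states the consequence (accessing random data), and that belongs in the code comment so the check is not later relaxed to a DCHECK or removed as redundant. Placement after the two early `return bitmap;` paths looks right, since bitmaps that are returned untouched never reach the conversion, but it also means the check only fires for premultiplied input; with TEST=none listed, a death test that passes a premultiplied bitmap whose colorType() is not kN32_SkColorType would pin that behavior down. Callers that can receive bitmaps of other color types now terminate the process here instead of getting the bitmap back, so it is worth confirming none of them rely on the old pass-through.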